On Tue, 5 Jan 2021 19:30:13 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> When a multi-part cipher operation fails in SunPKCS11 (i.e. because of an
>> invalid block size), we now cancel the operation before returning the
>> underlying Session to the Session Manager. This allows to use the returned
>> Session for a different purpose. Otherwise, an CKR_OPERATION_ACTIVE error
>> would be raised from the PKCS#11 library.
>>
>> The jdk/sun/security/pkcs11/Cipher/CancelMultipart.java regression test is
>> introduced as part of this PR.
>>
>> No regressions found in jdk/sun/security/pkcs11.
>
> test/jdk/sun/security/pkcs11/Cipher/CancelMultipart.java line 122:
>
>> 120: cipher.doFinal(new byte[1], 0, 0);
>> 121: } else {
>> 122: cipher.update(new byte[1]);
>
> Why only calling update(..) for Cipher encryption would lead to Exception?
> Seems strange...
Because a C_EncryptUpdate call that returns with an error here [1] implies that
a session (with an active operation) is returned to the Session Manager here
[2] [3]. For decryption, where we have proper padding on the Java side while
doing an update, the test exercises the doFinal path. Decryption/Encryption is
anecdotal here: what the test wants is coverage on both update and doFinal
paths.
--
[1] -
https://github.com/openjdk/jdk/blob/1cc09ccaef9a3695dd2862e3ee121e141e0a8a13/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L584
[2] -
https://github.com/openjdk/jdk/blob/1cc09ccaef9a3695dd2862e3ee121e141e0a8a13/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L631
[3] -
https://github.com/openjdk/jdk/blob/1cc09ccaef9a3695dd2862e3ee121e141e0a8a13/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L423
-------------
PR: https://git.openjdk.java.net/jdk/pull/1901
